DeepSQLi is a deep natural language processing based tool. This repository includes the test cases generate module and other dependencies required for reproduce the experiment.
These instructions will get you a copy of the project up and running on your local machine for development and testing purposes.
- Tomcat 5
- Java 1.4
- MySQL 5
(1) Each application is distributed as a WAR file in /SUT/*.war;
(2) Application's database is in WAR files. You can use the DB initialization script after loading SUT.
(2) /SUT/Instrument is used to output SQL statements in the SUT. Its specific execution steps are in /SUT/Instrument/README.md.
DeepSQLi uses a crawler to automatically parse the Web links of the SUT. We use Burp Suite (Professional Version) in the experiment.
(1) Download Burp Suite Pro from the official website;
(2) We first need to set the log path such as \Demo\demo.log in order to use the log file obtained by the crawler in the next step;
(3) Keep the browser agent consistent with the Burp Suite and start scanning the SUT.
In order to ensure the accuracy. DeepSQLi uses a powerful tool SQL Parser to determine whether or not a SQL statement is malicious.
(1) Download SQL Parser from the official website;
(2) Package it and record the path such as \Demo\demo.jar.
- python 3.4+
- pytorch 1.3.1
- torchtext 0.4.0
- spacy 2.2.2+
- tqdm
- dill
- numpy
- click
- jpype
python main.py -t <targetDomain> -l <logPath> -i <jarPath>
-
<targetDomain> is the target domain of SUT, such as
localhost/empldir -
<logPath> is the log path of SUT, such as
/demo/demo.log -
<jarPath> is the package path of SQL Parser, such as
/demo/demo.jar